diff options
| -rw-r--r-- | meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch | 38 | ||||
| -rw-r--r-- | meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | 1 |
2 files changed, 39 insertions, 0 deletions
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch new file mode 100644 index 0000000000..ef2eb48d61 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | From 9e4ebb38ba85661ee62361f218d6c35ace502395 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alx Sa <cmyk.student@gmail.com> | ||
| 3 | Date: Sat, 3 May 2025 14:13:46 +0000 | ||
| 4 | Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation | ||
| 5 | |||
| 6 | Resolves #13910 | ||
| 7 | Since ICO can store PNGs, it's possible to create an | ||
| 8 | icon that's much larger than the stated image size and | ||
| 9 | cause a buffer overflow. | ||
| 10 | This patch adds a check to make sure the width * height * 4 | ||
| 11 | calculation does not overflow in addition to making sure it | ||
| 12 | doesn't exceed the maximum allowed size for that icon. | ||
| 13 | |||
| 14 | CVE: CVE-2025-5473 | ||
| 15 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/c855d1df60ebaf5ef8d02807d448eb088f147a2b] | ||
| 16 | (cherry picked from commit c855d1df60ebaf5ef8d02807d448eb088f147a2b) | ||
| 17 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 18 | --- | ||
| 19 | plug-ins/file-ico/ico-load.c | 6 +++++- | ||
| 20 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
| 21 | |||
| 22 | diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c | ||
| 23 | index f44b805905..c144b6e2cd 100644 | ||
| 24 | --- a/plug-ins/file-ico/ico-load.c | ||
| 25 | +++ b/plug-ins/file-ico/ico-load.c | ||
| 26 | @@ -295,7 +295,11 @@ ico_read_png (FILE *fp, | ||
| 27 | png_read_info (png_ptr, info); | ||
| 28 | png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type, | ||
| 29 | NULL, NULL, NULL); | ||
| 30 | - if (w*h*4 > maxsize) | ||
| 31 | + /* Check for overflow */ | ||
| 32 | + if ((w * h * 4) < w || | ||
| 33 | + (w * h * 4) < h || | ||
| 34 | + (w * h * 4) < (w * h) || | ||
| 35 | + (w * h * 4) > maxsize) | ||
| 36 | { | ||
| 37 | png_destroy_read_struct (&png_ptr, &info, NULL); | ||
| 38 | return FALSE; | ||
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb index 064a797986..36b0712976 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb | |||
| @@ -49,6 +49,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \ | |||
| 49 | file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \ | 49 | file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \ |
| 50 | file://CVE-2025-14422.patch \ | 50 | file://CVE-2025-14422.patch \ |
| 51 | file://CVE-2025-14425.patch \ | 51 | file://CVE-2025-14425.patch \ |
| 52 | file://CVE-2025-5473.patch \ | ||
| 52 | " | 53 | " |
| 53 | SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" | 54 | SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" |
| 54 | 55 | ||
